github.com/kaisenlinux/docker.io@v0.0.0-20230510090727-ea55db55fac7/cli/opts/capabilities.go (about)

     1  package opts
     2  
     3  import (
     4  	"sort"
     5  	"strings"
     6  )
     7  
     8  const (
     9  	// AllCapabilities is a special value to add or drop all capabilities
    10  	AllCapabilities = "ALL"
    11  
    12  	// ResetCapabilities is a special value to reset capabilities when updating.
    13  	// This value should only be used when updating, not used on "create".
    14  	ResetCapabilities = "RESET"
    15  )
    16  
    17  // NormalizeCapability normalizes a capability by upper-casing, trimming white space
    18  // and adding a CAP_ prefix (if not yet present). This function also accepts the
    19  // "ALL" magic-value, as used by CapAdd/CapDrop.
    20  //
    21  // This function only handles rudimentary formatting; no validation is performed,
    22  // as the list of available capabilities can be updated over time, thus should be
    23  // handled by the daemon.
    24  func NormalizeCapability(cap string) string {
    25  	cap = strings.ToUpper(strings.TrimSpace(cap))
    26  	if cap == AllCapabilities || cap == ResetCapabilities {
    27  		return cap
    28  	}
    29  	if !strings.HasPrefix(cap, "CAP_") {
    30  		cap = "CAP_" + cap
    31  	}
    32  	return cap
    33  }
    34  
    35  // CapabilitiesMap normalizes the given capabilities and converts them to a map.
    36  func CapabilitiesMap(caps []string) map[string]bool {
    37  	normalized := make(map[string]bool)
    38  	for _, c := range caps {
    39  		normalized[NormalizeCapability(c)] = true
    40  	}
    41  	return normalized
    42  }
    43  
    44  // EffectiveCapAddCapDrop normalizes and sorts capabilities to "add" and "drop",
    45  // and returns the effective capabilities to include in both.
    46  //
    47  // "CapAdd" takes precedence over "CapDrop", so capabilities included in both
    48  // lists are removed from the list of capabilities to drop. The special "ALL"
    49  // capability is also taken into account.
    50  //
    51  // Note that the special "RESET" value is only used when updating an existing
    52  // service, and will be ignored.
    53  //
    54  // Duplicates are removed, and the resulting lists are sorted.
    55  func EffectiveCapAddCapDrop(add, drop []string) (capAdd, capDrop []string) {
    56  	var (
    57  		addCaps  = CapabilitiesMap(add)
    58  		dropCaps = CapabilitiesMap(drop)
    59  	)
    60  
    61  	if addCaps[AllCapabilities] {
    62  		// Special case: "ALL capabilities" trumps any other capability added.
    63  		addCaps = map[string]bool{AllCapabilities: true}
    64  	}
    65  	if dropCaps[AllCapabilities] {
    66  		// Special case: "ALL capabilities" trumps any other capability added.
    67  		dropCaps = map[string]bool{AllCapabilities: true}
    68  	}
    69  	for c := range dropCaps {
    70  		if addCaps[c] {
    71  			// Adding a capability takes precedence, so skip dropping
    72  			continue
    73  		}
    74  		if c != ResetCapabilities {
    75  			capDrop = append(capDrop, c)
    76  		}
    77  	}
    78  
    79  	for c := range addCaps {
    80  		if c != ResetCapabilities {
    81  			capAdd = append(capAdd, c)
    82  		}
    83  	}
    84  
    85  	sort.Strings(capAdd)
    86  	sort.Strings(capDrop)
    87  
    88  	return capAdd, capDrop
    89  }